SOURCES/CVE-2022-40897.patch

@@ -0,0 +1,13 @@
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 123e958..a90b810 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 

SPECS/python2-setuptools.spec

@@ -28,7 +28,7 @@
 
 Name:           python2-setuptools
 Version:        39.0.1
-Release:        13%{?dist}
+Release:        14%{?dist}
 Summary:        Easily build and distribute Python packages
 
 Group:          Applications/System
@@ -44,6 +44,12 @@ Patch0:         skip-internet-requiring-tests.patch
 # Resolved upstream: https://github.com/pypa/setuptools/pull/1319/
 Patch1:         fix-wheel-tests-compatibility.patch
 
+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+# The patch is backported without test because that requires pytest.timeout.
+Patch2:         CVE-2022-40897.patch
+
 BuildArch:      noarch
 
 BuildRequires:  gcc
@@ -111,6 +117,7 @@ rm setuptools/tests/test_integration.py
 
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %if %{with python2}
@@ -200,6 +207,10 @@ PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) py.test-%{python2_version} --ignore=
 %endif #with bootstrap
 
 %changelog
+* Tue Oct 03 2023 Lumír Balhar <lbalhar@redhat.com> - 39.0.1-14
+- Fix for CVE-2022-40897
+Resolves: RHEL-9763
+
 * Wed Jan 13 2021 Charalampos Stratakis <cstratak@redhat.com> - 39.0.1-13
 - When building for Flatpak inclusion, build in bootstrap mode
 Resolves: rhbz#1907597